{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1506", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-20T18:51:53.629Z", "datePublished": "2025-02-28T05:23:16.008Z", "dateUpdated": "2026-04-08T16:58:01.611Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:01.611Z"}, "affected": [{"vendor": "roxnor", "product": "Wp Social Login and Register Social Counter", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counter_access_key_setup() function. This makes it possible for unauthenticated attackers to update social login provider settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Wp Social Login and Register Social Counter <= 3.1.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/669833b3-1689-4051-8990-c6eddae4858f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3246155/wp-social/trunk/inc/counter.php"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social/tags/3.0.9/inc/counter.php#L189"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Mungai"}], "timeline": [{"time": "2025-02-27T16:23:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-28T14:53:10.258231Z", "id": "CVE-2025-1506", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-28T14:54:36.064Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1506", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-28T14:53:10.258231Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-28T14:54:27.224Z"}}], "cna": {"title": "Wp Social Login and Register Social Counter <= 3.1.0 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Brian Mungai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "xpeedstudio", "product": "Wp Social Login and Register Social Counter", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-27T16:23:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/669833b3-1689-4051-8990-c6eddae4858f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3246155/wp-social/trunk/inc/counter.php"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social/tags/3.0.9/inc/counter.php#L189"}], "descriptions": [{"lang": "en", "value": "The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counter_access_key_setup() function. This makes it possible for unauthenticated attackers to update social login provider settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-02-28T05:23:16.008Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1506", "state": "PUBLISHED", "dateUpdated": "2025-02-28T14:54:36.064Z", "dateReserved": "2025-02-20T18:51:53.629Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-28T05:23:16.008Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpmet:wp_social_login_and_register_social_counter:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "63E4D3FB-21A4-4BF1-97E4-A1E115C650A0", "versionEndExcluding": "3.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counter_access_key_setup() function. This makes it possible for unauthenticated attackers to update social login provider settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Wp Social Login and Register Social Counter para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 3.1.0 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la funci\u00f3n counter_access_key_setup(). Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n del proveedor de inicio de sesi\u00f3n social a trav\u00e9s de una solicitud falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-1506", "lastModified": "2025-08-01T02:02:35.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-02-28T06:15:25.557", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wp-social/tags/3.0.9/inc/counter.php#L189"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3246155/wp-social/trunk/inc/counter.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/669833b3-1689-4051-8990-c6eddae4858f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T02:02:51.815446+00:00", "value": {"mitigation_remediation": ["Update the plugin to a version beyond 3.1.0 to fix the CWE-352 nonce validation flaw.", "If an update is impossible, remove or disable the plugin to stop the CSRF vector associated with CWE-352.", "Enforce strong authentication controls and limit administrator exposure to phishing attacks that could exploit the CWE-352 CSRF weakness."], "summary": {"action": "Patch", "impact": "Unauthorized configuration changes via CSRF to social login settings"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Wp Social Login and Register Social Counter plugin up through version 3.1.0. WordPress sites that have installed this plugin, whether at default settings or with custom provider configurations, are at risk. Administrators and site owners of any WordPress deployment running these vulnerable plugin versions should be aware that an attacker can alter provider settings without authentication.", "description_and_impact": "The Wp Social Login and Register Social Counter WordPress plugin contains a CSRF vulnerability (CWE-352) that allows an unauthenticated attacker to change the social login provider configuration. The flaw stems from missing or incorrect nonce validation in the counter_access_key_setup function. By crafting a forged request and luring an administrator into clicking a link, the attacker can submit new settings, potentially taking control of social authentication flows and redirecting users to malicious endpoints.", "risk_and_exploitability": "With a CVSS score of 4.3 the vulnerability is considered moderate. The EPSS score of less than 1% indicates a low probability of exploitation. The attack requires social engineering to get a site administrator to click a crafted link, thus the feasibility is limited but still present. The vulnerability is not listed in the CISA KEV catalog. The improper nonce handling makes the attack straightforward for a determined attacker who can target sites with the plugin."}}}}, "created": "2026-04-22T02:15:05.409647+00:00", "updated": "2026-04-22T02:15:05.409658+00:00", "vendors": []}